Securing IPsec with keynote(5) and pf(4)
This approach has a few problems and can't be relied on as a single solution
very hard to debug
syntax is very cumbersome
limited usefulness when filtering roaming users
only effective to filter negotiations